Security B-Sides has long since emerged from the “Indie” shadow it was born from and now represents and produces some of the most amazing content and speakers in the security (mainstream and otherwise) industry.

So why don’t I speak at any of them?

Two reasons.

1) Many of the B-Sides get spun up quickly and without much notice. Those that I might be able to travel to/attend take place alongside the bigger conferences which I am required to attend and/or have committed to speak at far in advance, and…

2) I speak at 30-40 conferences a year. People don’t need to hear me prattle on about the same things I’ve spoken about elsewhere. Further, many of the folks who respond with awesome CFP submissions to B-Sides don’t (for a number of reasons) speak at the larger conferences…so why should I take up space when others should be given this amazing opportunity?

So there you have it.

Support B-Sides. One day I’ll get to one live. Until then, I’ll watch the live streams.

This morning’s dialog on Twitter from @wmremes and @singe reminded me of something that’s been bouncing around in my head for some time.

Wim blogged about a tweet Jeff Moss made regarding Black Hat DC in which he suggested CFP submissions should focus on offense (versus defense.)

Black Hat (and Defcon) have long focused on presentations which highlight novel emerging attacks. There are generally not a lot of high-profile “defensive” presentations/talks because, for the most part, they’re just not sexy: they generally involve hard work, cultural realignment and the reality that, as hard as we try, attackers will always out-innovate and out-pace defenders.

More realistically, offense is sexy and offense sells — and it often sells defense. That’s why vendors sponsor those shows in the first place.

Along these lines, one will notice that within our industry the defining criterion for attack-versus-defend talks, and for those who give them, is one’s ability to write code and produce tools that demonstrate the vulnerability via exploit. Conceptual vulnerabilities paired with non-existent exploits are generally thought of as fodder for academia. Only when a tool that weaponizes an attack shows up do people pay attention.

Zero days rule by definition. There’s no analog on the defensive side unless you buy into marketing like “…ahead of the threat.” *cough* Defense for offense that doesn’t exist generally doesn’t get the majority of the funding.

So it’s no wonder that security “rockstars” in our industry are generally those who produce attack/offensive code which illustrates how a vector can be exploited. It’s tangible. It’s demonstrable. It’s sexy.

On the other hand, most defenders are reconciled to using tools that others wrote — or become specialists in the integration of them — in order to parlay some advantage over the ever-increasing wares of the former.

Think of those folks who represent the security industry in terms of mindshare and get the most press. Overwhelmingly it’s those “hax0rs” who write cool tools — tools that are more offensive in nature, even if they produce results oriented toward allowing practitioners to defend better (or at least that’s how they’re sold). That said, there are also some folks who *do* code and *do* create things that are defensive in nature.

I believe the answer lies in balance; we need flashy exploits (no matter how impractical/irrelevant they may be to a large part of the population) to drive awareness. We also need more practitioner/governance talks to give people platforms upon which they can start to architect solutions. We need more defenders to be able to write code.

Perhaps that’s what Richard Bejtlich meant when he tweeted: “Real security is built, not bought.” That’s an interesting statement on lots of fronts. I’m selfishly taking Richard’s statement out of context to support my point, so hopefully he’ll forgive me.

That said, I don’t write code. More specifically, I don’t write code well. I have hundreds of ideas of things I’d like to do but can’t bridge the gap between ideation and proof-of-concept because I can’t write code.

This is why I often “invent” scenarios I find plausible, talk about them, and then get people thinking about how we would defend against them — usually in the vacuum of either offensive or defensive tools being available, or at least realized.

Sometimes there aren’t good answers.

I hope we focus on this balance more at shows like Black Hat — I’m lucky enough to get to present my “research” there despite it being defensive in nature but we need more defensive tools and talks to make this a reality.

There are many projects in my time that I’ve been passionate about, honored to have curated and personally gratified by others’ responses to, but none more than HacKid.

What is HacKid?

HacKid is a new kind of non-profit conference focused on providing an interactive, hands-on experience for the entire family — kids aged 5-17 & their parents — in order to raise awareness, excitement and understanding of technology, gaming, mathematics, safety, privacy, networking, security and engineering and their impact on society and culture.

The first HacKid conference is in Cambridge, MA on the weekend of October 9th and 10th, 2010.

The activities and sessions at HacKid are many and varied in topic. Some of the things the kids and parents will do are:

Learn About Online & Social Networking Safety

Make a Podcast

Learn How to Deal With Cyber-Bullies

Learn Kodu & Scratch Programming Languages

Build An Interactive Robot 3D printer

Discover Hair Hacking

Learn How the Internet works

Get Creative With Food Hacking

Manipulate Hardware & Software For Fun

Dive Into Electronics

Learn Magic

Build a Trebuchet

Meet & Interact With Law Enforcement

Learn About Low-impact Martial Arts/Self-Defense

There’s a ton of stuff to learn and get excited about.

The gist of the idea for HacKid (sounds like “hacked,” get it?) came about when I took my three daughters, aged 6, 9 and 14, along with me to the Source Security conference in Boston. It was fantastic to have them engage with my friends, colleagues and audience members as well as ask all sorts of interesting questions regarding the conference. However, while they were interested in some things, it wasn’t engaging for them because it wasn’t relevant, it wasn’t interactive, it wasn’t hands-on…it wasn’t targeted to them.

…and it wasn’t meant to be.

I went home that night, registered the domain name, tweeted about it and was overwhelmed with people who said they wanted to help make this a reality. The next day I reached out to the folks at Microsoft’s New England Research and Development (NERD) center in Cambridge and they kindly volunteered their amazing facilities. From that moment on (a few months) it’s been on like Donkey Kong.

There are a ton of venues I haven’t added here because they are directly related to customer visits that may not wish to be disclosed. You can see the prior list of speaking engagements listed here.

[I often get a bunch of guff as to why I make these lists: ego, horn-tooting, self-aggrandizement. I wish I thought I were that important. The real reason is that it helps me keep track of useful stuff focused not only on my participation, but that of the rest of the blogosphere. It also allows folks to plan meet-ups.]

This year looks to be another swell get-together in Vegas. I had to miss last year (first time in…forever) so I’m looking forward to 112 degrees, recirculated air, and stumble-drunk hax0rs jackpotting ATMs and commandeering elevators.

I’ll be getting in on the 27th. I have a keynote at the Cloud Security Alliance Summit on the 28th (co-located within Black Hat), a talk on the 29th at Black Hat (Cloudinomicon) from 10am-11am, and I’ll be on another FAIL panel at Defcon with the boys. I’ve got a bunch of (gasp!) customer meetings and (gasp! x2) work stuff to do, but plenty of time for the usual.

I’m going to try to hit Cobra Kai, Xtreme Couture or the Tapout facilities whilst there for some no-gi grappling or even BJJ if I can find a class. Either way, there are some hard core P90X’ers that I’m sure I can con into working out in 90 degree, 6am weather.

Rumors of mojitos and cigars at Casa Fuente are completely unfounded. Completely.

A few weeks ago I saw some RT’s/@’s on Twitter referencing John Flowers and that name brought back some memories.

Today I sent a tweet to John asking him if I remembered correctly that he was at SANS in New Orleans in 1999 when he was still at Hiverworld.

He responded back confirming he was, indeed, at SANS ’99. I remarked that this was where I first met many of today’s big names in security: Ed Skoudis, Ron Gula, Marty Roesch, Stephen Northcutt, Chris Klaus, JD Glaser, Greg Hoglund, and Bruce Schneier.

John responded back:

I couldn’t agree more. That was an absolutely amazing time. I was on my second security startup (NodeWarrior Networks), times were booming and this generation of the security industry as we know it was being given birth to.

Asking Ron Gula’s wife something about Dragon and her looking back at me like I was a total n00b

Asking Ron Gula the same question and having him confirm that I was, in fact, a complete tool

Staying up all night drinking, writing code in Perl and doing dangerous things on other people’s networks

Participating in my first CTF

Almost getting arrested for B&E as I tried to rig the CTF contest by attempting to steal/clone/pwn/replace the HDD in the target machine. The funniest part of that was almost pulling it off (stealing the removable drive) but electrocuting myself in the process — which is what alerted the security guard to my presence.

Interrupting Lance Spitzner’s talk by stringing a poster behind him that said “www.lancespitznerismyhero.com” (a domain I registered during the event).

Watching Bruce Schneier scream at the book store guy because they, incredulously, did not stock “Practical Cryptography”

Sitting down with Ed Skoudis (who was with SAIC at the time, I believe), looking at one another and wondering just what the hell we were going to do with our careers in security

Spending $14,000 (I shit you not, it was the Internet BOOM time, remember) by hitting 6 of the best restaurants in New Orleans with a party of hax0rs and working the charge department at American Express into a frenzy (not to mention actually using the line from Pretty Woman: “we’re going to spend obscene amounts of money here” in order to get in…)

Burning the roof of my mouth by not heeding the warnings of the waitress at Café du Monde, biting into a beignet which cauterized my mouth as I simultaneously tried to extinguish the pain with scalding hot chicory coffee.

I came back from that week knowing with every molecule in my body that even though I’d been “doing” security for 5 years already, it was exactly what I wanted to do for the rest of my life.

We spoke for almost an hour on all sorts of great discussion points related to Cloud Computing, specifically focusing on Trust (which I define in context as Security, Compliance, Control, Reliability and Privacy).